git: f4638b16605d - main - www/nginx-devel: update HTTPv3/QUIC patch
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 16 Sep 2022 18:40:55 UTC
The branch main has been updated by osa:
URL: https://cgit.FreeBSD.org/ports/commit/?id=f4638b16605dbdba268739de753a76eeeb9e405d
commit f4638b16605dbdba268739de753a76eeeb9e405d
Author: Sergey A. Osokin <osa@FreeBSD.org>
AuthorDate: 2022-09-16 18:39:57 +0000
Commit: Sergey A. Osokin <osa@FreeBSD.org>
CommitDate: 2022-09-16 18:40:48 +0000
www/nginx-devel: update HTTPv3/QUIC patch
Bump PORTREVISION.
---
www/nginx-devel/Makefile | 2 +-
www/nginx-devel/files/extra-patch-httpv3 | 756 +++++++++++++++----------------
2 files changed, 377 insertions(+), 381 deletions(-)
diff --git a/www/nginx-devel/Makefile b/www/nginx-devel/Makefile
index f925fecee702..95a7f019f86c 100644
--- a/www/nginx-devel/Makefile
+++ b/www/nginx-devel/Makefile
@@ -1,6 +1,6 @@
PORTNAME?= nginx
PORTVERSION= 1.23.1
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= www
MASTER_SITES= https://nginx.org/download/ \
LOCAL/osa
diff --git a/www/nginx-devel/files/extra-patch-httpv3 b/www/nginx-devel/files/extra-patch-httpv3
index 10d7ebf7df4c..d6cada768b21 100644
--- a/www/nginx-devel/files/extra-patch-httpv3
+++ b/www/nginx-devel/files/extra-patch-httpv3
@@ -1,7 +1,7 @@
-diff -r 5da2c0902e8e README
+diff -r a63d0a70afea README
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/README Tue Jul 19 12:13:58 2022 -0400
-@@ -0,0 +1,232 @@
++++ b/README Fri Sep 16 14:00:14 2022 -0400
+@@ -0,0 +1,230 @@
+Experimental QUIC support for nginx
+-----------------------------------
+
@@ -24,15 +24,13 @@ diff -r 5da2c0902e8e README
+
+ The project code base is under the same BSD license as nginx.
+
-+ The code is currently at a beta level of quality and should not
-+ be used in production.
++ The code is currently at a beta level of quality, however
++ there are several production deployments with it.
+
-+ We are working on improving HTTP/3 support with the goal of
-+ integrating it to the main NGINX codebase. Expect frequent
-+ updates of this code and don't rely on it for whatever purpose.
-+
-+ We'll be grateful for any feedback and code submissions however
-+ we don't bear any responsibilities for any issues with this code.
++ We are working on improving HTTP/3 support to integrate it into
++ the main NGINX codebase. Thus, expect further updates of this code,
++ including features, changes in behaviour, bug fixes, and refactoring.
++ We'll be grateful for any feedback and code submissions.
+
+ You can always contact us via nginx-devel mailing list [3].
+
@@ -234,9 +232,9 @@ diff -r 5da2c0902e8e README
+ [6] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
+ [7] https://nginx.org/en/docs/debugging_log.html
+ [8] http://vger.kernel.org/lpc_net2018_talks/willemdebruijn-lpc2018-udpgso-paper-DRAFT-1.pdf
-diff -r 5da2c0902e8e auto/lib/openssl/conf
---- a/auto/lib/openssl/conf Tue Jun 21 17:25:36 2022 +0300
-+++ b/auto/lib/openssl/conf Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea auto/lib/openssl/conf
+--- a/auto/lib/openssl/conf Tue Jul 19 17:05:27 2022 +0300
++++ b/auto/lib/openssl/conf Fri Sep 16 14:00:14 2022 -0400
@@ -5,12 +5,16 @@
if [ $OPENSSL != NONE ]; then
@@ -296,9 +294,9 @@ diff -r 5da2c0902e8e auto/lib/openssl/conf
+ fi
+ fi
fi
-diff -r 5da2c0902e8e auto/make
---- a/auto/make Tue Jun 21 17:25:36 2022 +0300
-+++ b/auto/make Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea auto/make
+--- a/auto/make Tue Jul 19 17:05:27 2022 +0300
++++ b/auto/make Fri Sep 16 14:00:14 2022 -0400
@@ -6,9 +6,10 @@
echo "creating $NGX_MAKEFILE"
@@ -312,9 +310,9 @@ diff -r 5da2c0902e8e auto/make
$NGX_OBJS/src/mail \
$NGX_OBJS/src/stream \
$NGX_OBJS/src/misc
-diff -r 5da2c0902e8e auto/modules
---- a/auto/modules Tue Jun 21 17:25:36 2022 +0300
-+++ b/auto/modules Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea auto/modules
+--- a/auto/modules Tue Jul 19 17:05:27 2022 +0300
++++ b/auto/modules Fri Sep 16 14:00:14 2022 -0400
@@ -102,7 +102,7 @@ if [ $HTTP = YES ]; then
fi
@@ -475,9 +473,9 @@ diff -r 5da2c0902e8e auto/modules
if [ $USE_PCRE = YES ]; then
ngx_module_type=CORE
ngx_module_name=ngx_regex_module
-diff -r 5da2c0902e8e auto/options
---- a/auto/options Tue Jun 21 17:25:36 2022 +0300
-+++ b/auto/options Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea auto/options
+--- a/auto/options Tue Jul 19 17:05:27 2022 +0300
++++ b/auto/options Fri Sep 16 14:00:14 2022 -0400
@@ -45,6 +45,8 @@ USE_THREADS=NO
NGX_FILE_AIO=NO
@@ -565,9 +563,9 @@ diff -r 5da2c0902e8e auto/options
--with-stream_realip_module enable ngx_stream_realip_module
--with-stream_geoip_module enable ngx_stream_geoip_module
--with-stream_geoip_module=dynamic enable dynamic ngx_stream_geoip_module
-diff -r 5da2c0902e8e auto/os/linux
---- a/auto/os/linux Tue Jun 21 17:25:36 2022 +0300
-+++ b/auto/os/linux Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea auto/os/linux
+--- a/auto/os/linux Tue Jul 19 17:05:27 2022 +0300
++++ b/auto/os/linux Fri Sep 16 14:00:14 2022 -0400
@@ -232,6 +232,50 @@ ngx_feature_test="struct crypt_data cd;
ngx_include="sys/vfs.h"; . auto/include
@@ -619,9 +617,9 @@ diff -r 5da2c0902e8e auto/os/linux
# UDP segmentation offloading
ngx_feature="UDP_SEGMENT"
-diff -r 5da2c0902e8e auto/sources
---- a/auto/sources Tue Jun 21 17:25:36 2022 +0300
-+++ b/auto/sources Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea auto/sources
+--- a/auto/sources Tue Jul 19 17:05:27 2022 +0300
++++ b/auto/sources Fri Sep 16 14:00:14 2022 -0400
@@ -83,7 +83,7 @@ CORE_SRCS="src/core/nginx.c \
EVENT_MODULES="ngx_events_module ngx_event_core_module"
@@ -631,9 +629,9 @@ diff -r 5da2c0902e8e auto/sources
EVENT_DEPS="src/event/ngx_event.h \
src/event/ngx_event_timer.h \
-diff -r 5da2c0902e8e src/core/nginx.c
---- a/src/core/nginx.c Tue Jun 21 17:25:36 2022 +0300
-+++ b/src/core/nginx.c Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea src/core/nginx.c
+--- a/src/core/nginx.c Tue Jul 19 17:05:27 2022 +0300
++++ b/src/core/nginx.c Fri Sep 16 14:00:14 2022 -0400
@@ -680,6 +680,9 @@ ngx_exec_new_binary(ngx_cycle_t *cycle,
ls = cycle->listening.elts;
@@ -644,9 +642,9 @@ diff -r 5da2c0902e8e src/core/nginx.c
p = ngx_sprintf(p, "%ud;", ls[i].fd);
}
-diff -r 5da2c0902e8e src/core/ngx_bpf.c
+diff -r a63d0a70afea src/core/ngx_bpf.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/core/ngx_bpf.c Tue Jul 19 12:13:58 2022 -0400
++++ b/src/core/ngx_bpf.c Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,143 @@
+
+/*
@@ -791,9 +789,9 @@ diff -r 5da2c0902e8e src/core/ngx_bpf.c
+
+ return ngx_bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
+}
-diff -r 5da2c0902e8e src/core/ngx_bpf.h
+diff -r a63d0a70afea src/core/ngx_bpf.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/core/ngx_bpf.h Tue Jul 19 12:13:58 2022 -0400
++++ b/src/core/ngx_bpf.h Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,43 @@
+
+/*
@@ -838,9 +836,9 @@ diff -r 5da2c0902e8e src/core/ngx_bpf.h
+int ngx_bpf_map_lookup(int fd, const void *key, void *value);
+
+#endif /* _NGX_BPF_H_INCLUDED_ */
-diff -r 5da2c0902e8e src/core/ngx_connection.c
---- a/src/core/ngx_connection.c Tue Jun 21 17:25:36 2022 +0300
-+++ b/src/core/ngx_connection.c Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea src/core/ngx_connection.c
+--- a/src/core/ngx_connection.c Tue Jul 19 17:05:27 2022 +0300
++++ b/src/core/ngx_connection.c Fri Sep 16 14:00:14 2022 -0400
@@ -72,10 +72,6 @@ ngx_create_listening(ngx_conf_t *cf, str
ngx_memcpy(ls->addr_text.data, text, len);
@@ -865,9 +863,9 @@ diff -r 5da2c0902e8e src/core/ngx_connection.c
c = ls[i].connection;
if (c) {
-diff -r 5da2c0902e8e src/core/ngx_connection.h
---- a/src/core/ngx_connection.h Tue Jun 21 17:25:36 2022 +0300
-+++ b/src/core/ngx_connection.h Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea src/core/ngx_connection.h
+--- a/src/core/ngx_connection.h Tue Jul 19 17:05:27 2022 +0300
++++ b/src/core/ngx_connection.h Fri Sep 16 14:00:14 2022 -0400
@@ -73,6 +73,7 @@ struct ngx_listening_s {
unsigned reuseport:1;
unsigned add_reuseport:1;
@@ -887,9 +885,9 @@ diff -r 5da2c0902e8e src/core/ngx_connection.h
#if (NGX_SSL || NGX_COMPAT)
ngx_ssl_connection_t *ssl;
#endif
-diff -r 5da2c0902e8e src/core/ngx_core.h
---- a/src/core/ngx_core.h Tue Jun 21 17:25:36 2022 +0300
-+++ b/src/core/ngx_core.h Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea src/core/ngx_core.h
+--- a/src/core/ngx_core.h Tue Jul 19 17:05:27 2022 +0300
++++ b/src/core/ngx_core.h Fri Sep 16 14:00:14 2022 -0400
@@ -27,6 +27,7 @@ typedef struct ngx_connection_s ngx
typedef struct ngx_thread_task_s ngx_thread_task_t;
typedef struct ngx_ssl_s ngx_ssl_t;
@@ -918,9 +916,9 @@ diff -r 5da2c0902e8e src/core/ngx_core.h
#define LF (u_char) '\n'
-diff -r 5da2c0902e8e src/event/ngx_event.c
---- a/src/event/ngx_event.c Tue Jun 21 17:25:36 2022 +0300
-+++ b/src/event/ngx_event.c Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea src/event/ngx_event.c
+--- a/src/event/ngx_event.c Tue Jul 19 17:05:27 2022 +0300
++++ b/src/event/ngx_event.c Fri Sep 16 14:00:14 2022 -0400
@@ -267,6 +267,18 @@ ngx_process_events_and_timers(ngx_cycle_
ngx_int_t
ngx_handle_read_event(ngx_event_t *rev, ngx_uint_t flags)
@@ -977,9 +975,9 @@ diff -r 5da2c0902e8e src/event/ngx_event.c
#if (NGX_HAVE_REUSEPORT)
-diff -r 5da2c0902e8e src/event/ngx_event_openssl.c
---- a/src/event/ngx_event_openssl.c Tue Jun 21 17:25:36 2022 +0300
-+++ b/src/event/ngx_event_openssl.c Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea src/event/ngx_event_openssl.c
+--- a/src/event/ngx_event_openssl.c Tue Jul 19 17:05:27 2022 +0300
++++ b/src/event/ngx_event_openssl.c Fri Sep 16 14:00:14 2022 -0400
@@ -3149,6 +3149,13 @@ ngx_ssl_shutdown(ngx_connection_t *c)
ngx_err_t err;
ngx_uint_t tries;
@@ -994,9 +992,9 @@ diff -r 5da2c0902e8e src/event/ngx_event_openssl.c
rc = NGX_OK;
ngx_ssl_ocsp_cleanup(c);
-diff -r 5da2c0902e8e src/event/ngx_event_openssl.h
---- a/src/event/ngx_event_openssl.h Tue Jun 21 17:25:36 2022 +0300
-+++ b/src/event/ngx_event_openssl.h Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea src/event/ngx_event_openssl.h
+--- a/src/event/ngx_event_openssl.h Tue Jul 19 17:05:27 2022 +0300
++++ b/src/event/ngx_event_openssl.h Fri Sep 16 14:00:14 2022 -0400
@@ -24,6 +24,14 @@
#include <openssl/engine.h>
#endif
@@ -1012,9 +1010,9 @@ diff -r 5da2c0902e8e src/event/ngx_event_openssl.h
#include <openssl/hmac.h>
#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
-diff -r 5da2c0902e8e src/event/ngx_event_udp.c
---- a/src/event/ngx_event_udp.c Tue Jun 21 17:25:36 2022 +0300
-+++ b/src/event/ngx_event_udp.c Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea src/event/ngx_event_udp.c
+--- a/src/event/ngx_event_udp.c Tue Jul 19 17:05:27 2022 +0300
++++ b/src/event/ngx_event_udp.c Fri Sep 16 14:00:14 2022 -0400
@@ -12,13 +12,6 @@
#if !(NGX_WIN32)
@@ -1029,9 +1027,9 @@ diff -r 5da2c0902e8e src/event/ngx_event_udp.c
static void ngx_close_accepted_udp_connection(ngx_connection_t *c);
static ssize_t ngx_udp_shared_recv(ngx_connection_t *c, u_char *buf,
size_t size);
-diff -r 5da2c0902e8e src/event/ngx_event_udp.h
---- a/src/event/ngx_event_udp.h Tue Jun 21 17:25:36 2022 +0300
-+++ b/src/event/ngx_event_udp.h Tue Jul 19 12:13:58 2022 -0400
+diff -r a63d0a70afea src/event/ngx_event_udp.h
+--- a/src/event/ngx_event_udp.h Tue Jul 19 17:05:27 2022 +0300
++++ b/src/event/ngx_event_udp.h Fri Sep 16 14:00:14 2022 -0400
@@ -23,6 +23,13 @@
#endif
@@ -1046,9 +1044,9 @@ diff -r 5da2c0902e8e src/event/ngx_event_udp.h
#if (NGX_HAVE_ADDRINFO_CMSG)
typedef union {
-diff -r 5da2c0902e8e src/event/quic/bpf/bpfgen.sh
+diff -r a63d0a70afea src/event/quic/bpf/bpfgen.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/bpf/bpfgen.sh Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/bpf/bpfgen.sh Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,113 @@
+#!/bin/bash
+
@@ -1163,9 +1161,9 @@ diff -r 5da2c0902e8e src/event/quic/bpf/bpfgen.sh
+process_section
+generate_tail
+
-diff -r 5da2c0902e8e src/event/quic/bpf/makefile
+diff -r a63d0a70afea src/event/quic/bpf/makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/bpf/makefile Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/bpf/makefile Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,30 @@
+CFLAGS=-O2 -Wall
+
@@ -1197,9 +1195,9 @@ diff -r 5da2c0902e8e src/event/quic/bpf/makefile
+ llvm-objdump -S -no-show-raw-insn $<
+
+.DELETE_ON_ERROR:
-diff -r 5da2c0902e8e src/event/quic/bpf/ngx_quic_reuseport_helper.c
+diff -r a63d0a70afea src/event/quic/bpf/ngx_quic_reuseport_helper.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/bpf/ngx_quic_reuseport_helper.c Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/bpf/ngx_quic_reuseport_helper.c Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,140 @@
+#include <errno.h>
+#include <linux/string.h>
@@ -1341,9 +1339,9 @@ diff -r 5da2c0902e8e src/event/quic/bpf/ngx_quic_reuseport_helper.c
+ */
+ return SK_PASS;
+}
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.c
+diff -r a63d0a70afea src/event/quic/ngx_event_quic.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic.c Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic.c Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,1459 @@
+
+/*
@@ -1585,7 +1583,7 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.c
+ return NULL;
+ }
+
-+ qc->keys = ngx_quic_keys_new(c->pool);
++ qc->keys = ngx_pcalloc(c->pool, sizeof(ngx_quic_keys_t));
+ if (qc->keys == NULL) {
+ return NULL;
+ }
@@ -1672,7 +1670,7 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.c
+ }
+ }
+
-+ if (ngx_quic_keys_set_initial_secret(c->pool, qc->keys, &pkt->dcid)
++ if (ngx_quic_keys_set_initial_secret(qc->keys, &pkt->dcid, c->log)
+ != NGX_OK)
+ {
+ return NULL;
@@ -2804,9 +2802,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.c
+
+ ngx_quic_finalize_connection(c, qc->shutdown_code, qc->shutdown_reason);
+}
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.h
+diff -r a63d0a70afea src/event/quic/ngx_event_quic.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic.h Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic.h Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,123 @@
+
+/*
@@ -2931,9 +2929,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic.h
+ ngx_str_t *secret, ngx_str_t *salt, u_char *out, size_t len);
+
+#endif /* _NGX_EVENT_QUIC_H_INCLUDED_ */
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_ack.c
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_ack.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_ack.c Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_ack.c Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,1193 @@
+
+/*
@@ -4128,9 +4126,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_ack.c
+
+ return NGX_OK;
+}
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_ack.h
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_ack.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_ack.h Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_ack.h Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,30 @@
+
+/*
@@ -4162,9 +4160,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_ack.h
+ ngx_quic_send_ctx_t *ctx);
+
+#endif /* _NGX_EVENT_QUIC_ACK_H_INCLUDED_ */
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_bpf.c
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_bpf.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_bpf.c Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_bpf.c Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,657 @@
+
+/*
@@ -4823,9 +4821,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_bpf.c
+
+ return NGX_OK;
+}
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_bpf_code.c
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_bpf_code.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_bpf_code.c Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_bpf_code.c Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,88 @@
+/* AUTO-GENERATED, DO NOT EDIT. */
+
@@ -4915,9 +4913,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_bpf_code.c
+ .license = "BSD",
+ .type = BPF_PROG_TYPE_SK_REUSEPORT,
+};
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connection.h
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_connection.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_connection.h Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_connection.h Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,276 @@
+/*
+ * Copyright (C) Nginx, Inc.
@@ -5195,9 +5193,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connection.h
+#endif
+
+#endif /* _NGX_EVENT_QUIC_CONNECTION_H_INCLUDED_ */
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connid.c
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_connid.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_connid.c Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_connid.c Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,502 @@
+
+/*
@@ -5701,9 +5699,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connid.c
+
+ return NGX_OK;
+}
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connid.h
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_connid.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_connid.h Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_connid.h Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,29 @@
+
+/*
@@ -5734,9 +5732,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_connid.h
+ ngx_quic_client_id_t *cid);
+
+#endif /* _NGX_EVENT_QUIC_CONNID_H_INCLUDED_ */
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_frames.c
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_frames.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_frames.c Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_frames.c Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,844 @@
+
+/*
@@ -6582,9 +6580,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_frames.c
+}
+
+#endif
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_frames.h
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_frames.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_frames.h Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_frames.h Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,43 @@
+
+/*
@@ -6629,9 +6627,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_frames.h
+#endif
+
+#endif /* _NGX_EVENT_QUIC_FRAMES_H_INCLUDED_ */
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_migration.c
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_migration.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_migration.c Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_migration.c Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,671 @@
+
+/*
@@ -7304,9 +7302,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_migration.c
+ ngx_add_timer(&qc->path_validation, next);
+ }
+}
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_migration.h
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_migration.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_migration.h Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_migration.h Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,42 @@
+
+/*
@@ -7350,10 +7348,10 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_migration.h
+void ngx_quic_path_validation_handler(ngx_event_t *ev);
+
+#endif /* _NGX_EVENT_QUIC_MIGRATION_H_INCLUDED_ */
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_output.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_output.c Tue Jul 19 12:13:58 2022 -0400
-@@ -0,0 +1,1283 @@
++++ b/src/event/quic/ngx_event_quic_output.c Fri Sep 16 14:00:14 2022 -0400
+@@ -0,0 +1,1292 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
@@ -8284,6 +8282,7 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c
+{
+ ssize_t len;
+ ngx_str_t res;
++ ngx_quic_keys_t keys;
+ ngx_quic_frame_t frame;
+ ngx_quic_header_t pkt;
+
@@ -8312,12 +8311,11 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c
+ return NGX_ERROR;
+ }
+
-+ pkt.keys = ngx_quic_keys_new(c->pool);
-+ if (pkt.keys == NULL) {
-+ return NGX_ERROR;
-+ }
++ ngx_memzero(&keys, sizeof(ngx_quic_keys_t));
++
++ pkt.keys = &keys;
+
-+ if (ngx_quic_keys_set_initial_secret(c->pool, pkt.keys, &inpkt->dcid)
++ if (ngx_quic_keys_set_initial_secret(pkt.keys, &inpkt->dcid, c->log)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
@@ -8365,10 +8363,14 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c
+
+ u_char buf[NGX_QUIC_RETRY_BUFFER_SIZE];
+ u_char dcid[NGX_QUIC_SERVER_CID_LEN];
++ u_char tbuf[NGX_QUIC_TOKEN_BUF_SIZE];
+
+ expires = ngx_time() + NGX_QUIC_RETRY_TOKEN_LIFETIME;
+
-+ if (ngx_quic_new_token(c, c->sockaddr, c->socklen, conf->av_token_key,
++ token.data = tbuf;
++ token.len = NGX_QUIC_TOKEN_BUF_SIZE;
++
++ if (ngx_quic_new_token(c->log, c->sockaddr, c->socklen, conf->av_token_key,
+ &token, &inpkt->dcid, expires, 1)
+ != NGX_OK)
+ {
@@ -8431,11 +8433,16 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c
+ ngx_quic_frame_t *frame;
+ ngx_quic_connection_t *qc;
+
++ u_char tbuf[NGX_QUIC_TOKEN_BUF_SIZE];
++
+ qc = ngx_quic_get_connection(c);
+
+ expires = ngx_time() + NGX_QUIC_NEW_TOKEN_LIFETIME;
+
-+ if (ngx_quic_new_token(c, path->sockaddr, path->socklen,
++ token.data = tbuf;
++ token.len = NGX_QUIC_TOKEN_BUF_SIZE;
++
++ if (ngx_quic_new_token(c->log, path->sockaddr, path->socklen,
+ qc->conf->av_token_key, &token, NULL, expires, 0)
+ != NGX_OK)
+ {
@@ -8637,9 +8644,9 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.c
+
+ return size;
+}
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.h
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_output.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_output.h Tue Jul 19 12:13:58 2022 -0400
++++ b/src/event/quic/ngx_event_quic_output.h Fri Sep 16 14:00:14 2022 -0400
@@ -0,0 +1,40 @@
+
+/*
@@ -8681,10 +8688,10 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_output.h
+ size_t min, ngx_quic_path_t *path);
+
+#endif /* _NGX_EVENT_QUIC_OUTPUT_H_INCLUDED_ */
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_protection.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_protection.c Tue Jul 19 12:13:58 2022 -0400
-@@ -0,0 +1,1177 @@
++++ b/src/event/quic/ngx_event_quic_protection.c Fri Sep 16 14:00:14 2022 -0400
+@@ -0,0 +1,1123 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
@@ -8697,8 +8704,6 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+#include <ngx_event_quic_connection.h>
+
+
-+/* RFC 5116, 5.1 and RFC 8439, 2.3 for all supported ciphers */
-+#define NGX_QUIC_IV_LEN 12
+/* RFC 9001, 5.4.1. Header Protection Application: 5-byte mask */
+#define NGX_QUIC_HP_LEN 5
+
@@ -8723,25 +8728,23 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+} ngx_quic_ciphers_t;
+
+
-+typedef struct ngx_quic_secret_s {
-+ ngx_str_t secret;
-+ ngx_str_t key;
-+ ngx_str_t iv;
-+ ngx_str_t hp;
-+} ngx_quic_secret_t;
-+
-+
+typedef struct {
-+ ngx_quic_secret_t client;
-+ ngx_quic_secret_t server;
-+} ngx_quic_secrets_t;
++ size_t out_len;
++ u_char *out;
+
++ size_t prk_len;
++ const uint8_t *prk;
+
-+struct ngx_quic_keys_s {
-+ ngx_quic_secrets_t secrets[NGX_QUIC_ENCRYPTION_LAST];
-+ ngx_quic_secrets_t next_key;
-+ ngx_uint_t cipher;
-+};
++ size_t label_len;
++ const u_char *label;
++} ngx_quic_hkdf_t;
++
++#define ngx_quic_hkdf_set(label, out, prk) \
++ { \
++ (out)->len, (out)->data, \
++ (prk)->len, (prk)->data, \
++ (sizeof(label) - 1), (u_char *)(label), \
++ }
+
+
+static ngx_int_t ngx_hkdf_expand(u_char *out_key, size_t out_len,
@@ -8765,8 +8768,8 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+ ngx_str_t *ad, ngx_log_t *log);
+static ngx_int_t ngx_quic_tls_hp(ngx_log_t *log, const EVP_CIPHER *cipher,
+ ngx_quic_secret_t *s, u_char *out, u_char *in);
-+static ngx_int_t ngx_quic_hkdf_expand(ngx_pool_t *pool, const EVP_MD *digest,
-+ ngx_str_t *out, ngx_str_t *label, const uint8_t *prk, size_t prk_len);
++static ngx_int_t ngx_quic_hkdf_expand(ngx_quic_hkdf_t *hkdf,
++ const EVP_MD *digest, ngx_log_t *log);
+
+static ngx_int_t ngx_quic_create_packet(ngx_quic_header_t *pkt,
+ ngx_str_t *res);
@@ -8832,8 +8835,8 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+
+
+ngx_int_t
-+ngx_quic_keys_set_initial_secret(ngx_pool_t *pool, ngx_quic_keys_t *keys,
-+ ngx_str_t *secret)
++ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys, ngx_str_t *secret,
++ ngx_log_t *log)
+{
+ size_t is_len;
+ uint8_t is[SHA256_DIGEST_LENGTH];
@@ -8870,12 +8873,12 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+ .len = is_len
+ };
+
-+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pool->log, 0,
++ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, log, 0,
+ "quic ngx_quic_set_initial_secret");
+#ifdef NGX_QUIC_DEBUG_CRYPTO
-+ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0,
++ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
+ "quic salt len:%uz %*xs", sizeof(salt), sizeof(salt), salt);
-+ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0,
++ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
+ "quic initial secret len:%uz %*xs", is_len, is_len, is);
+#endif
+
@@ -8891,28 +8894,20 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+ client->iv.len = NGX_QUIC_IV_LEN;
+ server->iv.len = NGX_QUIC_IV_LEN;
+
-+ struct {
-+ ngx_str_t label;
-+ ngx_str_t *key;
-+ ngx_str_t *prk;
-+ } seq[] = {
++ ngx_quic_hkdf_t seq[] = {
+ /* labels per RFC 9001, 5.1. Packet Protection Keys */
-+ { ngx_string("tls13 client in"), &client->secret, &iss },
-+ { ngx_string("tls13 quic key"), &client->key, &client->secret },
-+ { ngx_string("tls13 quic iv"), &client->iv, &client->secret },
-+ { ngx_string("tls13 quic hp"), &client->hp, &client->secret },
-+ { ngx_string("tls13 server in"), &server->secret, &iss },
-+ { ngx_string("tls13 quic key"), &server->key, &server->secret },
-+ { ngx_string("tls13 quic iv"), &server->iv, &server->secret },
-+ { ngx_string("tls13 quic hp"), &server->hp, &server->secret },
++ ngx_quic_hkdf_set("tls13 client in", &client->secret, &iss),
++ ngx_quic_hkdf_set("tls13 quic key", &client->key, &client->secret),
++ ngx_quic_hkdf_set("tls13 quic iv", &client->iv, &client->secret),
++ ngx_quic_hkdf_set("tls13 quic hp", &client->hp, &client->secret),
++ ngx_quic_hkdf_set("tls13 server in", &server->secret, &iss),
++ ngx_quic_hkdf_set("tls13 quic key", &server->key, &server->secret),
++ ngx_quic_hkdf_set("tls13 quic iv", &server->iv, &server->secret),
++ ngx_quic_hkdf_set("tls13 quic hp", &server->hp, &server->secret),
+ };
+
+ for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
-+
-+ if (ngx_quic_hkdf_expand(pool, digest, seq[i].key, &seq[i].label,
-+ seq[i].prk->data, seq[i].prk->len)
-+ != NGX_OK)
-+ {
++ if (ngx_quic_hkdf_expand(&seq[i], digest, log) != NGX_OK) {
+ return NGX_ERROR;
+ }
+ }
@@ -8922,40 +8917,34 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+
+
+static ngx_int_t
-+ngx_quic_hkdf_expand(ngx_pool_t *pool, const EVP_MD *digest, ngx_str_t *out,
-+ ngx_str_t *label, const uint8_t *prk, size_t prk_len)
++ngx_quic_hkdf_expand(ngx_quic_hkdf_t *h, const EVP_MD *digest, ngx_log_t *log)
+{
+ size_t info_len;
+ uint8_t *p;
+ uint8_t info[20];
+
-+ if (out->data == NULL) {
-+ out->data = ngx_pnalloc(pool, out->len);
-+ if (out->data == NULL) {
-+ return NGX_ERROR;
-+ }
-+ }
-+
-+ info_len = 2 + 1 + label->len + 1;
++ info_len = 2 + 1 + h->label_len + 1;
+
+ info[0] = 0;
-+ info[1] = out->len;
-+ info[2] = label->len;
-+ p = ngx_cpymem(&info[3], label->data, label->len);
++ info[1] = h->out_len;
++ info[2] = h->label_len;
++
++ p = ngx_cpymem(&info[3], h->label, h->label_len);
+ *p = '\0';
+
-+ if (ngx_hkdf_expand(out->data, out->len, digest,
-+ prk, prk_len, info, info_len)
++ if (ngx_hkdf_expand(h->out, h->out_len, digest,
++ h->prk, h->prk_len, info, info_len)
+ != NGX_OK)
+ {
-+ ngx_ssl_error(NGX_LOG_INFO, pool->log, 0,
-+ "ngx_hkdf_expand(%V) failed", label);
++ ngx_ssl_error(NGX_LOG_INFO, log, 0,
++ "ngx_hkdf_expand(%*s) failed", h->label_len, h->label);
+ return NGX_ERROR;
+ }
+
+#ifdef NGX_QUIC_DEBUG_CRYPTO
-+ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pool->log, 0,
-+ "quic expand %V key len:%uz %xV", label, out->len, out);
++ ngx_log_debug5(NGX_LOG_DEBUG_EVENT, log, 0,
++ "quic expand \"%*s\" len:%uz %*xs",
++ h->label_len, h->label, h->out_len, h->out_len, h->out);
+#endif
+
+ return NGX_OK;
@@ -9334,11 +9323,12 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+
+
+ngx_int_t
-+ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool, ngx_uint_t is_write,
++ngx_quic_keys_set_encryption_secret(ngx_log_t *log, ngx_uint_t is_write,
+ ngx_quic_keys_t *keys, enum ssl_encryption_level_t level,
+ const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len)
+{
+ ngx_int_t key_len;
++ ngx_str_t secret_str;
+ ngx_uint_t i;
+ ngx_quic_secret_t *peer_secret;
+ ngx_quic_ciphers_t ciphers;
@@ -9351,12 +9341,13 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+ key_len = ngx_quic_ciphers(keys->cipher, &ciphers, level);
+
+ if (key_len == NGX_ERROR) {
-+ ngx_ssl_error(NGX_LOG_INFO, pool->log, 0, "unexpected cipher");
++ ngx_ssl_error(NGX_LOG_INFO, log, 0, "unexpected cipher");
+ return NGX_ERROR;
+ }
+
-+ peer_secret->secret.data = ngx_pnalloc(pool, secret_len);
-+ if (peer_secret->secret.data == NULL) {
++ if (sizeof(peer_secret->secret.data) < secret_len) {
++ ngx_log_error(NGX_LOG_ALERT, log, 0,
++ "unexpected secret len: %uz", secret_len);
+ return NGX_ERROR;
+ }
+
@@ -9367,22 +9358,17 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+ peer_secret->iv.len = NGX_QUIC_IV_LEN;
+ peer_secret->hp.len = key_len;
+
-+ struct {
-+ ngx_str_t label;
-+ ngx_str_t *key;
-+ const uint8_t *secret;
-+ } seq[] = {
-+ { ngx_string("tls13 quic key"), &peer_secret->key, secret },
-+ { ngx_string("tls13 quic iv"), &peer_secret->iv, secret },
-+ { ngx_string("tls13 quic hp"), &peer_secret->hp, secret },
++ secret_str.len = secret_len;
++ secret_str.data = (u_char *) secret;
++
++ ngx_quic_hkdf_t seq[] = {
++ ngx_quic_hkdf_set("tls13 quic key", &peer_secret->key, &secret_str),
++ ngx_quic_hkdf_set("tls13 quic iv", &peer_secret->iv, &secret_str),
++ ngx_quic_hkdf_set("tls13 quic hp", &peer_secret->hp, &secret_str),
+ };
+
+ for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
-+
-+ if (ngx_quic_hkdf_expand(pool, ciphers.d, seq[i].key, &seq[i].label,
-+ seq[i].secret, secret_len)
-+ != NGX_OK)
-+ {
++ if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, log) != NGX_OK) {
+ return NGX_ERROR;
+ }
+ }
@@ -9391,13 +9377,6 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+}
+
+
-+ngx_quic_keys_t *
-+ngx_quic_keys_new(ngx_pool_t *pool)
-+{
-+ return ngx_pcalloc(pool, sizeof(ngx_quic_keys_t));
-+}
-+
-+
+ngx_uint_t
+ngx_quic_keys_available(ngx_quic_keys_t *keys,
+ enum ssl_encryption_level_t level)
@@ -9456,49 +9435,23 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+ next->server.iv.len = NGX_QUIC_IV_LEN;
+ next->server.hp = current->server.hp;
+
-+ struct {
-+ ngx_str_t label;
-+ ngx_str_t *key;
-+ ngx_str_t *secret;
-+ } seq[] = {
-+ {
-+ ngx_string("tls13 quic ku"),
-+ &next->client.secret,
-+ ¤t->client.secret,
-+ },
-+ {
-+ ngx_string("tls13 quic key"),
-+ &next->client.key,
-+ &next->client.secret,
-+ },
-+ {
-+ ngx_string("tls13 quic iv"),
-+ &next->client.iv,
-+ &next->client.secret,
-+ },
-+ {
-+ ngx_string("tls13 quic ku"),
-+ &next->server.secret,
-+ ¤t->server.secret,
-+ },
-+ {
-+ ngx_string("tls13 quic key"),
-+ &next->server.key,
-+ &next->server.secret,
-+ },
-+ {
-+ ngx_string("tls13 quic iv"),
-+ &next->server.iv,
-+ &next->server.secret,
-+ },
++ ngx_quic_hkdf_t seq[] = {
++ ngx_quic_hkdf_set("tls13 quic ku",
++ &next->client.secret, ¤t->client.secret),
++ ngx_quic_hkdf_set("tls13 quic key",
++ &next->client.key, &next->client.secret),
++ ngx_quic_hkdf_set("tls13 quic iv",
++ &next->client.iv, &next->client.secret),
++ ngx_quic_hkdf_set("tls13 quic ku",
++ &next->server.secret, ¤t->server.secret),
++ ngx_quic_hkdf_set("tls13 quic key",
++ &next->server.key, &next->server.secret),
++ ngx_quic_hkdf_set("tls13 quic iv",
++ &next->server.iv, &next->server.secret),
+ };
+
+ for (i = 0; i < (sizeof(seq) / sizeof(seq[0])); i++) {
-+
-+ if (ngx_quic_hkdf_expand(c->pool, ciphers.d, seq[i].key, &seq[i].label,
-+ seq[i].secret->data, seq[i].secret->len)
-+ != NGX_OK)
-+ {
++ if (ngx_quic_hkdf_expand(&seq[i], ciphers.d, c->log) != NGX_OK) {
+ return NGX_ERROR;
+ }
+ }
@@ -9596,7 +9549,7 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+ }
+
+ secret.key.len = sizeof(key);
-+ secret.key.data = key;
++ ngx_memcpy(secret.key.data, key, sizeof(key));
+ secret.iv.len = NGX_QUIC_IV_LEN;
+
+ if (ngx_quic_tls_seal(ciphers.c, &secret, &itag, nonce, &in, &ad, pkt->log)
@@ -9862,10 +9815,10 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.c
+
+ return NGX_OK;
+}
-diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.h
+diff -r a63d0a70afea src/event/quic/ngx_event_quic_protection.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/src/event/quic/ngx_event_quic_protection.h Tue Jul 19 12:13:58 2022 -0400
-@@ -0,0 +1,37 @@
++++ b/src/event/quic/ngx_event_quic_protection.h Fri Sep 16 14:00:14 2022 -0400
+@@ -0,0 +1,75 @@
+
+/*
+ * Copyright (C) Nginx, Inc.
@@ -9884,11 +9837,49 @@ diff -r 5da2c0902e8e src/event/quic/ngx_event_quic_protection.h
+
+#define NGX_QUIC_ENCRYPTION_LAST ((ssl_encryption_application) + 1)
+
++/* RFC 5116, 5.1 and RFC 8439, 2.3 for all supported ciphers */
++#define NGX_QUIC_IV_LEN 12
++
++/* largest hash used in TLS is SHA-384 */
++#define NGX_QUIC_MAX_MD_SIZE 48
++
++
++typedef struct {
++ size_t len;
++ u_char data[NGX_QUIC_MAX_MD_SIZE];
++} ngx_quic_md_t;
++
++
++typedef struct {
++ size_t len;
++ u_char data[NGX_QUIC_IV_LEN];
++} ngx_quic_iv_t;
++
++
++typedef struct {
++ ngx_quic_md_t secret;
++ ngx_quic_md_t key;
++ ngx_quic_iv_t iv;
++ ngx_quic_md_t hp;
++} ngx_quic_secret_t;
++
++
++typedef struct {
++ ngx_quic_secret_t client;
++ ngx_quic_secret_t server;
++} ngx_quic_secrets_t;
+
-+ngx_quic_keys_t *ngx_quic_keys_new(ngx_pool_t *pool);
-+ngx_int_t ngx_quic_keys_set_initial_secret(ngx_pool_t *pool,
-+ ngx_quic_keys_t *keys, ngx_str_t *secret);
-+ngx_int_t ngx_quic_keys_set_encryption_secret(ngx_pool_t *pool,
++
++struct ngx_quic_keys_s {
++ ngx_quic_secrets_t secrets[NGX_QUIC_ENCRYPTION_LAST];
++ ngx_quic_secrets_t next_key;
++ ngx_uint_t cipher;
++};
++
++
++ngx_int_t ngx_quic_keys_set_initial_secret(ngx_quic_keys_t *keys,
*** 698 LINES SKIPPED ***